
Granting remote user (non admin) the ability to enumerate services in Win32_Service in namespace cimv2 using WMI & C#

I'm creating a watch dog service that will be monitoring other services on various remote servers (all in the same domain). The user that I'm using to connect to the remote servers is not an admin. When I try to enumerate the services in the Win32_Service class, I get an access denied error.

I've given the user 'Remote Enable' & 'Enable Account' permissions to the Root\CIMV2 namespace in the WMI Control.

I am able to connect to the server with the following code. The object ServiceListItem is just a simple class that contains the server name and the service name:

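// Namespaces used by this snippet (System.Management needs an assembly reference).
using System;
using System.Diagnostics;
using System.Management;
using System.Security;

SecureString secureString = new SecureString();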

foreach ( char c in "password" )
{
    secureString.AppendChar( c );
}

ConnectionOptions connectionOptions = new ConnectionOptions();

connectionOptions.Username = "domain\\user";
connectionOptions.SecurePassword = secureString;

foreach ( ServiceListItem service in _serviceList )
{
     // Connect to the remote root\cimv2 namespace with the explicit credentials.
     ManagementScope managementScope = new ManagementScope( String.Format( @"\\{0}\root\cimv2", service.ServerName ), connectionOptions );
     managementScope.Connect();

     //RelatedObjectQuery relatedObjectQuery = new RelatedObjectQuery( String.Format( "Win32_Service.Name='{0}'", service.ServiceName ) );
     //ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, relatedObjectQuery );

     ObjectQuery objectQuery = new ObjectQuery( "SELECT * FROM Win32_Service WHERE Name = '" + service.ServiceName + "'" );
     ManagementObjectSearcher objectSearcher = new ManagementObjectSearcher( managementScope, objectQuery );

     ManagementObjectCollection objectCollection = objectSearcher.Get();

     foreach ( ManagementObject managementObject in objectCollection )
     {
          serviceStatus = managementObject.Properties["State"].Value.ToString();
          Debug.Print(service.ServiceName + " - " + serviceStatus);
          //break;
     }
}

The managementScope.Connect() runs fine, which means the WMI security on cimv2 is set up correctly. However, when I try to enumerate the objectCollection, I get the 'Access Denied' exception. This tells me (I think) that the user doesn't have permissions to enumerate the Win32_Service class (SC_MANAGER_ENUMERATE_SERVICE).

I just haven't been able to find any good examples on how to enable that permission for a remote user. I'm not very experienced when it comes to coding with Windows APIs, so please be as detailed as possible in your answers :)

norepro asked Oct 12 '10 17:10


2 Answers

Trying to find the same answer myself today, I've been doing a lot of googling. After a good half hour of incantations, I found this MSDN article (907460) which uses sc sdset. It seems to work so far, even though the security descriptor is for Windows Server 2003. I've found you can do sc sdshow SCMANAGER to get the current value, so when back in the office tomorrow I'll be comparing and contrasting to make sure I've not locked something out I shouldn't have :-)

For completeness, the notes in KB907460 (in case it moves/goes away):

Symptoms: After you install Microsoft Windows Server 2003 Service Pack 1 (SP1), non-administrators cannot remotely access the Service Control Manager.

Cause: Windows Server 2003 SP1 changes the Service Control Manager default security settings.

Resolution: To resolve this issue, use version 5.2.3790.1830 of the Sc.exe tool. This tool is located in the %windir%\System32 folder. To do this, follow these steps:

  • Click Start, click Run, type cmd, and then click OK.
  • Type the following command at the command prompt, and then press ENTER:

    sc sdset SCMANAGER D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
    
Chris J answered Sep 25 '22 16:09
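The comparison the answer above plans to do by hand (current `sc sdshow SCMANAGER` output against the KB907460 descriptor), as an added example that is not part of the original answer or the KB article. It is Windows-only, the `current` string is a constructed sample to be replaced with real `sc sdshow SCMANAGER` output, and the class and enum names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Security.AccessControl;
static class ScmSddlDiff   // hypothetical name; needs Windows (uses the OS SDDL parser)
{
    [Flags]
    enum ScmRights   // Service Control Manager access rights plus standard rights
    {
        Connect = 0x1, CreateService = 0x2, EnumerateService = 0x4, Lock = 0x8,
        QueryLockStatus = 0x10, ModifyBootConfig = 0x20,
        Delete = 0x10000, ReadControl = 0x20000, WriteDac = 0x40000, WriteOwner = 0x80000
    }

    // Union of access-allowed masks per SID. Deny ACEs and ACE order are ignored,
    // which is sufficient here because both descriptors contain allow ACEs only.
    static Dictionary<string, int> Allowed(string sddl)
    {
        var result = new Dictionary<string, int>();
        RawAcl dacl = new RawSecurityDescriptor(sddl).DiscretionaryAcl;
        if (dacl == null) return result;
        foreach (GenericAce ace in dacl)
        {
            if (ace is CommonAce c && c.AceQualifier == AceQualifier.AccessAllowed)
            {
                string sid = c.SecurityIdentifier.Value;
                result.TryGetValue(sid, out int mask);   // mask stays 0 for a new SID
                result[sid] = mask | c.AccessMask;
            }
        }
        return result;
    }

    static void Main()
    {
        // Constructed sample standing in for the output of: sc sdshow SCMANAGER
        string current = "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)";
        // Descriptor quoted from KB907460 in the answer above
        string proposed = "D:(A;;CCLCRPRC;;;AU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)";
        var before = Allowed(current);
        var after = Allowed(proposed);
        var sids = new SortedSet<string>(before.Keys);
        sids.UnionWith(after.Keys);
        foreach (string sid in sids)   // one line per trustee: rights added and removed
        {
            before.TryGetValue(sid, out int b);
            after.TryGetValue(sid, out int a);
            Console.WriteLine($"{sid}: gains [{(ScmRights)(a & ~b)}] loses [{(ScmRights)(b & ~a)}]");
        }
    }
}
```

In the KB descriptor `AU` is Authenticated Users (S-1-5-11), so the `LC` right (`EnumerateService`) goes to every authenticated account rather than only the monitoring user. Any trustee that shows up under "loses" is one the new descriptor would lock out.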


I found myself stuck in a similar problem. In my case it had nothing to do with permissions, which I did set by following this link: http://www.poweradmin.com/help/enableWMI.aspx

So, after hours of wandering lost, I found this article that tells how UAC interferes with your set of permissions and how you can fix that: http://www.solarwinds.com/documentation/apm/docs/APMWMITroubleshooting.pdf

In my case, the registry key didn't exist, so I created it.

[Image: Tricky Registry Key]

Hope this helps also, cheers!

safejrz answered Sep 22 '22 16:09